User's guide
Miscellaneous Procedures 521
Administering Security Certificates for HTTPS and SSH on the OnSite
Configuring Security Certificates
OnSite generates its own self-signed SSL certificate for HTTPS. It is highly
recommended that you regenerate the local OnSite-generated certificate with
identifying data specific to your site and, at the same time, begin applying
for an official certificate from a certificate authority (CA), such as
VeriSign. Certificates from known CAs are recommended because many browsers
accept only certificates signed by known CAs.
The openssl.cnf file must exist for configuring security certificates. By
default, openssl looks for the file in /usr/local/ssl, as shown in the
following error message:

Unable to load config info from /usr/local/ssl/openssl.cnf.

OnSite administrators cannot write into the /usr directory, so we
recommend putting the file into the /etc directory. The file can be
downloaded from the Internet or copied from Figure 8-1. The file must be
modified to suit your configuration.

Table 8-3: Tasks for Administering Security Certificates (Continued)

Task: Request, install, and configure a certificate from a CA (certificate
authority)
OR
Create your own local CA and generate a local (less secure but more practical
in some environments)
Note: How to create your own CA is outside of the scope of this document
Where Documented: “Enabling SSH to Use X.509 Certificates” on page 528

Note: Installing and configuring a CA-signed certificate is required both for
HTTPS and for the optional use of SSL authentication based on the exchange of
certificates.

Task: Configure SSH to accept X.509 certificates from clients
Where Documented: “Enabling SSH to Use X.509 Certificates” on page 528
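The openssl.cnf placement and certificate regeneration described under "Configuring Security Certificates", as an added example that is not taken from the OnSite guide: it writes a site-specific config outside /usr, passes it to openssl with -config so the /usr/local/ssl default is never consulted, and checks the resulting certificate. The distinguished-name values, the file names server.key and server.crt, and the scratch directory standing in for /etc are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the OnSite guide. Names and DN values are constructed.
# openssl.cnf is kept outside /usr and passed with -config (the OPENSSL_CONF
# environment variable is the alternative), so the /usr/local/ssl default is unused.

write_site_conf() {            # $1 = config path (on the OnSite: under /etc)
    cat > "$1" <<'EOF'
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = site_dn
x509_extensions    = site_ext

[ site_dn ]
C  = US
ST = Example State
L  = Example City
O  = Example Org
CN = onsite.example.com

[ site_ext ]
subjectAltName = DNS:onsite.example.com
EOF
}

regen_self_signed() {          # $1 = config, $2 = key out, $3 = cert out
    # umask keeps the unencrypted private key unreadable to other users.
    ( umask 077
      openssl req -config "$1" -new -x509 -newkey rsa:2048 -nodes \
          -days 365 -keyout "$2" -out "$3" )
}

cert_field() {                 # $1 = cert, $2 = -subject or -issuer
    openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[a-z]*= *//'
}

is_self_signed() {             # issuer equal to subject means no CA signed it
    [ "$(cert_field "$1" -subject)" = "$(cert_field "$1" -issuer)" ]
}

# Demo in a scratch directory so it runs unprivileged.
demo_dir=$(mktemp -d)
write_site_conf "$demo_dir/openssl.cnf"
regen_self_signed "$demo_dir/openssl.cnf" "$demo_dir/server.key" "$demo_dir/server.crt"
cert_field "$demo_dir/server.crt" -subject
is_self_signed "$demo_dir/server.crt" && echo "self-signed: not issued by a known CA"
rm -rf "$demo_dir"
```

A certificate obtained from a CA would fail the is_self_signed check, because its issuer field names the CA rather than the site.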